Can you create a new questions where you describe your issue and not use any old solved question? ... View more

Please don't just copy-paste things without trying to understand what the howtos tell you to do. And while you probably could unpack the package (not install!) and maybe run a limited subset of functionality without root privileges, you won't be able to do that without understanding why you need root for package install. ... View more

@sccheah82  Hi, If you're uploading data through Splunk Web, you can adjust line breaking and timestamp extraction on the Set Source Type page. 2-14-2022 Example one. 2-14-2022 Example two with leading space. (empty line) Note that very old events (> 900 days by default but perhaps earlier in your environment) may be quarantined (written to a separate bucket), and depending on your environment's retention settings, may not remain online for as long as you'd hoped. Check with your Splunk administrator for your environment's specific characteristics. ... View more

@gcusello's answer is generally right but there is more to this than that 🙂 As always there are two factors you have to weigh - performance and reliability (also in splunk's case - data distribution). If you're talking about "insertion", I'd assume you want to push events via HEC (with different methods you can hit different issues). With HEC you can use separate HTTP POSTs for each event or can combine multiple events into a single HTTP POST request. And here's where the fun begins 🙂 With a "one event per request" you have more flexibility and can easily select and replay each single event in case of some error. Furthermore, if you're connecting through a load-balancer, each request can be routed to a different backend. If - on the other hand - you're sending in batches - the performance will typically be higher but in case of problems you might have problems identifying problematic events (especially if you don't use acknowledgements), you might need to retransmit whole batch if you have network problems and of course whole request gets routed to a single server. So there are pros and cons for each approach. Typically high-volume sources (like SC4S) will most probably send data in reasonably-sized batches (like 100 or 1000 events per request). Also remember that there is a limit for each separate HEC-ingested event (it's 5MB by default) and there are some limits on http input parameters (but they can be tweaked). https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/Limitsconf#.5Bhttp_input.5D ... View more

The first command works because it uses correct syntax. The others attempt to replace a set of key=value pairs with a command that returns who knows what.  Per the Search Reference Manual: WHERE clauses in tstat searches must contain field-value pairs that are indexed, as well as characters that are not major breakers or minor breakers. If you can get the loadjob or dbxquery command to return a list of key=value pairs then it might work.  Keep in mind that both are generating commands so they must be prefixed by |.  You may need to use a subsearch containing a format command. | tstats count where date_time="2022*" ( [ | loadjob savedsearch="XXX:YYY" | format ] ) groupby date_time | fields date_time Notice how the where clause moved into the tstats command for better performance and the redundant dedup command was removed (the groupby option removes duplicates). ... View more

Hi @inventsekar  Were you able to call the support number and get the user cleared? If not, please let me know. Thanks ... View more

Hi @sccheah82, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more